Azure Active Directory

Set up Azure Active Directory

Last Updated: November 18, 2021

App Creation in SecurEnds Tool

In the Admin Console, go to Applications and click the Add button next to it to begin configuration.

Setup Application

1. Select Connector as the Data Ingestion method.
2. Enter the application Name.
3. Enter the Application Owner email.
4. Search Featured Integrations for the connector and select Azure Active Directory.
5. Select Local for your Agent. An Agent is software installed in your on-premises environment to pull data from applications such as Active Directory, databases and custom applications that are not cloud based.
   - Select Local if the application is cloud based. No agent install is required, but you will need to whitelist the SecurEnds IPs; your Implementation Consultant can provide these.
   - Select Remote if you installed the Agent on-premises. The server where the agent is installed must have connectivity to the on-premises application or database. If a new agent is required, contact your implementation consultant or submit a ticket via the SecurEnds Help Desk using the Report Issue link in the upper right corner of the SecurEnds application; SecurEnds will provide the files and instructions.
6. Select the Match By logic: Default (Email or FirstName and LastName) or Employee Id.
   - With Default (Email or FirstName and LastName), the system matches users by Email OR by First Name and Last Name while syncing.
   - With Employee Id, the system matches only on Employee ID while syncing.
7. Set Include Inactive Users to choose which users are fetched.
   - Yes includes users with both Active and Disabled status in the Matched users for Azure Active Directory.
   - No pulls only Active users into the Matched users for Azure Active Directory.
8. Set Include Entitlements Enabled to Yes to load the application's entitlements while syncing.

Configure Application

Input the following Azure configuration details into SecurEnds (see the terminology chart below for where each value comes from):

- Azure Tenant ID
- Azure Client ID
- Azure Client Secret

Optional: users and groups can be included or excluded using the Microsoft Graph API $filter parameter (https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter).

User Filter
For example, if the user criteria contains endswith(userPrincipalName,'#EXT#@test.onmicrosoft.com'), SecurEnds will fetch only the users whose UPN ends with #EXT#@test.onmicrosoft.com.

Group Filter
Groups can be filtered in the same way as users, in accordance with Microsoft Graph API capabilities.

Additional Columns
Here we can input additional attribute values from Azure that we want to bring in and display for Review. The supported additional columns are: "companyName", "jobTitle", "mobilePhone", "city", "createdDateTime". If we input the value "UPN,SAMAccountName" into the User Filter box, SecurEnds will bring in "companyName", "jobTitle", "mobilePhone", "city", "createdDateTime", "UPN", "SAMAccountName" as additional columns in the review screen only.

NOTE: The chart below converts terminology; Azure native terms are in the left column and SecurEnds native terms on the right. Use it to select the correct configuration detail during set up.

Azure                      SecurEnds
Application (client) ID    Client ID
Directory (tenant) ID      Tenant ID
Secret Value               Client Secret
Secret ID                  Not used

Ticketing System Configuration

For more information on Ticketing System Configuration, refer to the Ticketing System Configuration article.

Click Save once finished to add the connector.

Configuration Details

Last Updated: November 18, 2021

Please note, the following steps walk through an example use case; the information that you need to save will be specific to your application.

Application Registration using Azure Portal

To set up the connector between SecurEnds and Azure AD, you need to register SecurEnds as an application within the Azure portal. Doing this creates the service principal object in your Azure AD tenant. After registration is complete, you will have the Tenant ID, Client Secret and Client ID used in the configuration settings of the SecurEnds tool.

Step 1: Application Registration

1. Sign in to the Azure portal using your Azure account: https://portal.azure.com/
2. Select Azure Active Directory > App registration > New registration.
3. Provide a Name for the application.
4. Select the appropriate "Supported account types".
5. Under Redirect URL, select "Web" as the application type and (optionally) specify a redirect URL if your application requires it.
6. After setting the values, select Register. The application registration is created and the Overview page is presented.
7. Copy the Application ID for use in your application code. This value is the Client ID in SecurEnds used for ServiceNow configuration.
8. Copy the Directory ID for use in your application code. This value is the Tenant ID in SecurEnds used for ServiceNow configuration.
9. Generate a client secret (Key or Secret Value). This value is the Client Secret in SecurEnds used for ServiceNow configuration.
   - Select Certificates & secrets.
   - Select New client secret.
   - Provide a description for the secret and an expiry duration.
   - When done, select Add. The Client Secret/key is displayed only once, when these settings are saved; copy the Secret Value to the clipboard immediately, because once you leave the page the key will no longer be visible. This is the value to use in your application code.

NOTE: Grab the right Secret! Use this chart to select the correct configuration detail during set up.

Azure                      SecurEnds
Application (client) ID    Client ID
Directory (tenant) ID      Tenant ID
Secret Value               Client Secret
Secret ID                  Not used

Step 2: Azure Permissions

After registering SecurEnds as an application within the Azure portal, the next step is to make sure the application has the correct API permissions to access data within Microsoft Graph. To do this, the user or administrator must grant the correct permissions via a consent process.

From the Home screen select Azure Active Directory > App registration > Created App (under Owned applications) > API Permissions > Add Permissions.

Under Microsoft Graph, add the following Delegated and Application permissions. Read-only permissions are sufficient; do not grant read and write permissions.

Delegated permissions:
- User.Read
- User.Read.All
- User.ReadBasic.All
- Directory.AccessAsUser.All
- Directory.Read.All

Application permissions:
- User.Read.All
- Directory.Read.All

Once added, click to grant admin consent for the permissions. Once complete, each permission will have a green checkmark as shown below.
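The Graph query that the User Filter, Additional Columns and Include Inactive Users settings in the first article translate into, together with a least-privilege check on the Step 2 Application permissions, as an added Python example (not SecurEnds code; the connector's internals are not public, and BASE_COLUMNS, the function names and the $count/ConsistencyLevel handling for endswith() are this example's assumptions):

```python
from urllib.parse import urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Columns every review needs (assumed); Additional Columns from the form are appended.
BASE_COLUMNS = ["id", "userPrincipalName", "displayName", "mail", "accountEnabled"]
# The read-only Application permissions the article asks for.
READ_ONLY_REQUIRED = {"User.Read.All", "Directory.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (v2.0 endpoint) using the Tenant ID, Client ID
    and Secret Value from the chart; load the secret from a vault, never from source."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return TOKEN_URL.format(tenant=tenant_id), body


def users_request(user_filter="", additional_columns="", include_inactive=True):
    """Build the users query: URL, query parameters and extra headers.
    endswith() on userPrincipalName is a Graph 'advanced query', which only
    works with $count=true and the ConsistencyLevel: eventual header."""
    clauses = []
    if user_filter:
        clauses.append(f"({user_filter})")
    if not include_inactive:  # Include Inactive Users = No
        clauses.append("accountEnabled eq true")
    extra = [c.strip() for c in additional_columns.split(",") if c.strip()]
    params = {"$select": ",".join(BASE_COLUMNS + extra)}
    headers = {}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    if "endswith(" in params.get("$filter", ""):
        params["$count"] = "true"
        headers["ConsistencyLevel"] = "eventual"
    return f"{GRAPH_USERS}?{urlencode(params)}", params, headers


def check_permissions(granted):
    """Least-privilege check on the registration's Application permissions: returns
    (required read-only permissions still missing, write permissions that were granted)."""
    granted = set(granted)
    missing = sorted(READ_ONLY_REQUIRED - granted)
    too_broad = sorted(p for p in granted if "Write" in p)
    return missing, too_broad
```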
